
Problem in LDAP-setup

Dec 28th, 2005, 03:10 PM

Friends, is there any way to authenticate users using LDAP? I am working on Luntbuild (a build automation tool) which is built using the Spring framework. I need help in resolving how to configure the authentication properties, as I need to authenticate users from Luntbuild. Any help would be appreciated.
Thanks

I've recently been working on an updated LDAP authentication provider which we're looking for feedback on prior to the next release. The code is in CVS (in the package org.acegisecurity.providers.ldap) and there is an LDAP version of the contacts sample application which you can take a look at. It's lacking an LDAP server at the moment, but that will be included later. It should give you an idea of how to set up the configuration.

Comment

Great. Please let us know how you get on as we'd like to iron out any potential problems in advance. I think we may require an extra configuration parameter for Active Directory login using Windows domain-style usernames.

The DN of a group is like cn=APPNAME_ROLE,cn=GROUPS,dc=company,dc=com.
Again, rolePrefix is unnecessary in this context.
You can refine the groupSearchFilter, e.g. (&(objectclass=groupOfUniqueNames)(uniqueMember={0}))

Again configuration was easy and works flawlessly.

Comment

@Luke
MS AD is a different beast. I don't think the current implementation is able to use it. (Or did I miss something?)
My problem was that in our domain user and group DNs are very deep. Something like cn=Mickey Mouse,ou=FunDepartment,ou=Paderborn,ou=Germany,ou=Europe,dc=Disney,dc=com.
We have about 500+ OUs, so listing them all in userDnPatterns is no option, unfortunately.

Just an idea:
Extend AbstractLdapAuthenticator (anyone for a good name?)
authenticate should then first bind with managerDn/managerPassword and search for an entry where sAMAccountName matches username. (sAMAccountName should be variable.)
This would give an array of DNs.
Last step is trying to bind all DNs with password. The first that binds without an error is the valid account.

As far as I can see you can also use this to authenticate against Oracle or Domino when anonymous binding is disabled on these platforms.

Are you working on something like this? Or do you have other ideas/plans? If you need help, I could write some code and test it against our Active Directory domain.

Comment
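The search-then-bind flow proposed in the post above, as an added example that is not Acegi's code: a constructed in-memory directory stands in for the LDAP server, the `DIRECTORY` entries, account names and passwords are all made up, and the duplicate sAMAccountName entry is there only to show why "the first DN that binds" is the rule.

```python
# Added example (not Acegi's code): manager bind -> search by account name -> bind each
# candidate DN. Runs offline against a constructed dictionary instead of a real server.

# Constructed sample entries: DN -> attributes. "password" models the server-side check.
DIRECTORY = {
    "cn=ldapuser,ou=service,dc=disney,dc=com":
        {"sAMAccountName": "ldapuser", "password": "manager-secret"},
    "cn=Mickey Mouse,ou=FunDepartment,ou=Paderborn,ou=Germany,ou=Europe,dc=disney,dc=com":
        {"sAMAccountName": "mmouse", "password": "cheese"},
    # Same account name under another OU; AD itself keeps sAMAccountName unique per domain.
    "cn=Mickey Mouse,ou=Archive,ou=Orlando,ou=USA,dc=disney,dc=com":
        {"sAMAccountName": "mmouse", "password": "retired"},
}


class BindError(Exception):
    """Raised when a simple bind is rejected (unknown DN or wrong password)."""


def bind(dn, password):
    """Simulated simple bind: succeeds only for an existing DN with a matching password."""
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        raise BindError(dn)
    return entry


def search(attribute, value):
    """Subtree search from the root: every DN whose attribute equals the value."""
    return [dn for dn, attrs in DIRECTORY.items() if attrs.get(attribute) == value]


def authenticate(username, password, manager_dn, manager_password,
                 account_attr="sAMAccountName"):
    """Return the DN that authenticated, or None if no candidate accepts the password.
    Step 1: bind as the manager account (a failure here is a configuration error, so it
    propagates). Step 2: search for entries whose account attribute matches the username,
    which yields a list of DNs. Step 3: bind each candidate with the user's password; the
    first one that binds is the account. Unknown user and wrong password both end as None,
    so a caller cannot tell the two apart."""
    bind(manager_dn, manager_password)
    candidates = search(account_attr, username)
    for dn in candidates:
        try:
            bind(dn, password)
            return dn
        except BindError:
            continue
    return None
```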

OK, Acegi can even use MS Active Directory when you read the javadocs.

First it binds using ldapuser/paderborn/germany/company/com, does the search for the username, re-binds with the found dn and then reads the attribute memberOf. (So it is possible! Forget what I said earlier.)

The only problem with this solution is that you get the DN of the group, i.e.
cn=APPNAME_ROLE,ou=groups,ou=paderborn,ou=germany,dc=company,dc=com. This is not very nice in the taglib.

Doing a group search for member={0} and using cn as the result will fix this.

Unfortunately, in our configuration ou=groups is the second entry in the hierarchy and not the last before dc=company,dc=com.
Maybe creating another initialDirFactory with root DN dc=com and groupSearchBase dc=company will fix this.

Comment
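The group-DN problem discussed above (memberOf returns a full DN, the taglib wants a short role name, and the groups live under several OUs), as an added example that is not Acegi's code: the `GROUPS` table is constructed, the member={0} search is simulated, and upper-casing the cn and prepending a rolePrefix are this example's assumptions about how a role name is formed.

```python
# Added example (not Acegi's code): turn group DNs into role names and show how the
# choice of groupSearchBase decides which OUs a (member={0}) search can see.

# Constructed sample groups: DN -> attributes. The third DN has an escaped comma in its cn.
GROUPS = {
    "cn=APPNAME_ROLE,ou=groups,ou=paderborn,ou=germany,dc=company,dc=com":
        {"member": ["cn=Mickey Mouse,ou=fun,ou=paderborn,ou=germany,dc=company,dc=com"]},
    "cn=APPNAME_ADMIN,ou=groups,ou=bangalore,ou=india,dc=company,dc=com":
        {"member": ["cn=Mickey Mouse,ou=fun,ou=paderborn,ou=germany,dc=company,dc=com"]},
    "cn=Sales\\, EMEA,ou=groups,ou=paderborn,ou=germany,dc=company,dc=com": {"member": []},
}


def rdn_values(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas so a
    naive split on ',' does not cut a cn like 'Sales, EMEA' in half."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    return [tuple(p.split("=", 1)) for p in parts]


def group_cn(dn):
    """The group's cn: the value of the leftmost RDN, which must be of type cn."""
    typ, val = rdn_values(dn)[0]
    if typ.strip().lower() != "cn":
        raise ValueError("group DN does not start with cn: " + dn)
    return val


def group_search(base_dn, user_dn):
    """Simulated subtree search with filter (member={0}) under base_dn. A base above the
    per-country OUs (dc=company,dc=com) finds groups regardless of which OU holds them."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in GROUPS.items()
            if dn.lower().endswith(suffix) and user_dn in attrs["member"]]


def roles_for(user_dn, base_dn="dc=company,dc=com", role_prefix="ROLE_"):
    """Map each matching group's cn to a role name (assumed form: prefix + upper-cased cn)."""
    return sorted(role_prefix + group_cn(dn).upper() for dn in group_search(base_dn, user_dn))
```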

On the groupSearchBase issue, can't you just specify the context above your OUs for germany, india etc.?

Alternatively, I can change the code to take an array of DNs and perform the search within each. Or you can extend DefaultAuthoritiesPopulator. I'll have a look at it and see if I can make some improvements.

Comment

Thinking about it, I guess the current implementation solves 99% of all problems. (The remaining 1% is when you need all groups for a user and you don't have an OU for all groups.)

For 'normal' applications it is totally ok to specify a fixed OU. If an application needs groups in different OUs you can nest groups in groups.

If I could make a wish I'd prefer a method to look for groups regardless of OU, rather than a list of DNs. [Just for the remaining 1% ;-) ] This would solve the multiple OU-problem without nesting, too.

BTW, keep on with your fantastic work. I convinced my boss to take a look at Spring and Acegi and he was surprised how easy it is to build consistent applications. In the next months we will port all our old Lotus Domino applications to Spring/Acegi.

Comment

I'm trying to test the new LDAP functionality, but recent nightly CVS snapshots fail to build via Maven (1.0.2)... it ends in compile errors which I do not have time to go into at the moment. Is there a nightly build available that includes the latest LDAP packages?

Comment

There were issues with CVS HEAD until early February due to the Apache Directory project having some incompatibilities. Luke ended up building a snapshot, and CVS HEAD works as of this moment. Luke has also been working with the Apache DS team to resolve the incompatibilities.